toxiceye | hxxp://example[.]com

Resubmissions

16-07-2024 00:52

240716-a7538axekq 10

16-07-2024 00:38

240716-azbjmszcpe 10

16-07-2024 00:24

240716-aqbs2syhpd 10

Analysis

max time kernel
310s
max time network
329s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-07-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://example.com

Score

10^/10

toxiceye agilenet persistence rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 7 IoCs

Processes:

XHVNC-Client.exeXHVNC-Client.exeXHVNC-Client.exeXHVNC-Client.exewin-xwarm-builder.exexwarm-rat-builder.exeUpdate.exe

pid	process
4628	XHVNC-Client.exe
3828	XHVNC-Client.exe
5028	XHVNC-Client.exe
5116	XHVNC-Client.exe
4996	win-xwarm-builder.exe
4940	xwarm-rat-builder.exe
4956	Update.exe

Loads dropped DLL 2 IoCs

Processes:

XHVNC.exeXHVNC.exe

pid process

1264 XHVNC.exe
3216 XHVNC.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1264-482-0x00000000064C0000-0x00000000066E4000-memory.dmp	agile_net

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

XHVNC-Client.exeXHVNC-Client.exeXHVNC-Client.exeXHVNC-Client.exe

description	pid	process	target process
PID 4628 set thread context of 4184	4628	XHVNC-Client.exe	cvtres.exe
PID 3828 set thread context of 2104	3828	XHVNC-Client.exe	cvtres.exe
PID 5028 set thread context of 4940	5028	XHVNC-Client.exe	cvtres.exe
PID 5116 set thread context of 3580	5116	XHVNC-Client.exe	cvtres.exe

Drops file in Windows directory 3 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\4002656488.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1772 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

308 tasklist.exe

pid	process
1772	timeout.exe

pid	process
308	tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeSearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchUI.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133655634907244975"	chrome.exe

Modifies registry class 62 IoCs

Processes:

SearchUI.exeXHVNC.exeexplorer.exechrome.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	XHVNC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XHVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XHVNC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	XHVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	XHVNC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	XHVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	XHVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XHVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065551368052"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f9c000000000000002000000e80707004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000025ffb21318d7da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000023d07d1318d7da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000006772bf1b8a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XHVNC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	XHVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XHVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XHVNC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XHVNC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XHVNC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	XHVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1300 schtasks.exe
312 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

explorer.exe

pid process

3096 explorer.exe
3096 explorer.exe
3096 explorer.exe

pid	process
1300	schtasks.exe
312	schtasks.exe

pid	process
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

chrome.exechrome.exeXHVNC-Client.exeXHVNC-Client.exeXHVNC-Client.exeXHVNC-Client.exeUpdate.exe

pid	process
4748	chrome.exe
4748	chrome.exe
4600	chrome.exe
4600	chrome.exe
4628	XHVNC-Client.exe
3828	XHVNC-Client.exe
3828	XHVNC-Client.exe
3828	XHVNC-Client.exe
5028	XHVNC-Client.exe
5028	XHVNC-Client.exe
5028	XHVNC-Client.exe
5116	XHVNC-Client.exe
5116	XHVNC-Client.exe
5116	XHVNC-Client.exe
5116	XHVNC-Client.exe
5116	XHVNC-Client.exe
4956	Update.exe
4956	Update.exe
4956	Update.exe
4956	Update.exe
4956	Update.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

XHVNC.exeXHVNC.exe

pid process

1264 XHVNC.exe
3216 XHVNC.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4748 chrome.exe
4748 chrome.exe
4748 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe
Token: SeShutdownPrivilege	4748	chrome.exe
Token: SeCreatePagefilePrivilege	4748	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeXHVNC.exeexplorer.exe

pid	process
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
1264	XHVNC.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe

Suspicious use of SendNotifyMessage 52 IoCs

Processes:

chrome.exeexplorer.exe

pid	process
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe
4748	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

XHVNC.exeSearchUI.exeXHVNC.exeexplorer.exeUpdate.exe

pid	process
1264	XHVNC.exe
1264	XHVNC.exe
1264	XHVNC.exe
2468	SearchUI.exe
3216	XHVNC.exe
3216	XHVNC.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3096	explorer.exe
3216	XHVNC.exe
4956	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4748 wrote to memory of 4640	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 4640	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 520	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 4384	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 4384	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe
PID 4748 wrote to memory of 2912	4748	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://example.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbc4c59758,0x7ffbc4c59768,0x7ffbc4c59778
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:2
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1980 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2640 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2652 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2480 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1668 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=920 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4276 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=1844,i,16061115830179690800,1772983874256026484,131072 /prefetch:8
  2⤵
  PID:4940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3980

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC-Client.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC-Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4628
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3096
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:1316
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:5012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" G5LKJ4 127.0.0.1 8000 8FGOFE
  2⤵
  PID:4184

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3216

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC-Client.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC-Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3828
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" G5LKJ4 127.0.0.1 8000 8FGOFE
  2⤵
  PID:2104

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC-Client.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC-Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5028
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" G5LKJ4 127.0.0.1 8000 8FGOFE
  2⤵
  PID:4940

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC-Client.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC-Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5116
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" G5LKJ4 127.0.0.1 8000 8FGOFE
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" G5LKJ4 127.0.0.1 8000 8FGOFE
  2⤵
  PID:3580

C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe
"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe"
1⤵
PID:560
- C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"
  2⤵
  - Executes dropped EXE
  PID:4996
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1300
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp93F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp93F.tmp.bat
    3⤵
    PID:2452
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 4996"
      4⤵
      Enumerates processes with tasklist
      PID:308
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4484
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1772
  - - C:\Users\Static\Update.exe
      "Update.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4956
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:312
- C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe"
  2⤵
  - Executes dropped EXE
  PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b6b755cf764f1ef240b704cae0b93975

SHA1
344595e9b73b39ed433d4de49cf1c9e2de5060bd

SHA256
68b3404fdc39c26215443b8748dc62ef34317abae17359a265345d363b580636

SHA512
06ab54236d2d9ee0eed899d31759db501bfe28c167c9ac0511e37ad5a9b6148f2b5e51046e726f2c4c4243e6bb0034c3d94538265d770342a463b80e5fc04bb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dd929386e785d76b34d0a173f34cf052

SHA1
af84b849368ca99b045e0514c33da8b2d223cdd4

SHA256
cd7421b7759db5d3502cf0bebbb9a8ba7b760b8757b732bf849a7c58da778860

SHA512
59a2494c642907311eaf5ccdb4aa0ad50f06db40b7125d8208e05ecd79ee58b47266fe81215a88c1981785838ed23e67a3cf31fefd9c468e4c3c602928a0c359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
9bc2370fd6bdcc768e2cc6de067f43ca

SHA1
0aaf9a626e030c6748005720dd5a2f45ae861d5a

SHA256
e20b47c3ea6eeb87f5b13281ca471cb468a45f19768d25f0915fb7ae3dcb4e04

SHA512
507005945fab5807dbbe7901e62392bf308cb1c1fa25aa1cba774b0f556ca334a20774ae8a599c0d8520c63b3c3cb21ada53f67cfd2ba90c62473aa2a27de9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ba55249c0d6097864e9bb281d2be7c0b

SHA1
740e73232627f1f497cf36a3937b24de7bc21a15

SHA256
43e5d86e96ff210a02728e614c0ebb067a61958d0a5fa3d2bb843e0a1f775d89

SHA512
16a8d55b80c5b70f8a3eb25fc8915e43199891a6bc63b386f178e2f988946b66ef1af75a9f5eff4875cf45c1223c0af6e47bb2a256db7387dc7d5e10b0ba0b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e5f463fc4d889f31e51ae93d99183aca

SHA1
11d4346594753709afbc095ac99769345e119275

SHA256
815b04ff3c76a351d128496e6b48160463ca36b7d5265c62c655b2ebbe64cfbf

SHA512
da968df29d3e9988e92c149352d11889c292cd423a4be11e23e0b38744e0fa7b921276dfab6c53b03971a8b8f2c78a3b3d26fc8aaf260893f8cf7064fdb68941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8f6161a8ef53a586230534ca6f8adcc6

SHA1
a004d6364d826c2d1b19adab5a809f498cfc68c2

SHA256
70c3c4a8fdf724427ceb4cc66753729a08926a75f721b446e4b0b3825af0d096

SHA512
281605191b801d29fac941c5da351ef70dfd1503a933af28efb68d5640c67882a75564d128317469a35474ad74fd76fc9b1166b63d974c0f7c1c7ce5797650c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
17b1ac272e593658031b82e16b084e4d

SHA1
c721855a6c5815bd211b0b4b663727bc7ce06c19

SHA256
d1b46f63df38120a038bbc2038a267ec630c6fb1fb6dbbac89269827cbff2217

SHA512
1ba2b543e11b31825975f43f5157b3a926acc5d85a2d298c0eca5e33ab707bca8c03bfc93d6ce49b88bb18549369880dbcbf9989f4cc42c9873b09b4bfaaff20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
99546923c22dc7fbb7a8fe95ea0c3ebb

SHA1
7d7519f091a3f0e04123e4482d006e7fb1ac720a

SHA256
94178fab8e104154acc62bf2054ebfd111b6ce95365c40da15f77a22fd25f324

SHA512
c6d465ab7b0ca479d46e91861072a3bf916de7dbfca9f37e3f98d95061155d8c24373c57b943b7225252460dd2708909e41986ebc68ecc13418a1c9e4df94dd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f9a8142674fefb2f5f36df2b8a00f48d

SHA1
10757c024e959263e68f0dcd7f80a0dc6118368c

SHA256
ef7f294cd1d61dcd3e29f5f746552d62a364a59cffae8f3bbcd72add32ae44cd

SHA512
91416f710fc971c1fd55ddeafa07d967eee18e6c4c83dc9f6557ef7d668e71e85b4db65b1a0b0707d7d903d48ff5864f3b42c2d3ee8c207ec841daaa6d3d542d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aa9577adfd173862303487d9b137d477

SHA1
114a323ae037257f9c339a8cf703454e45ba2a50

SHA256
5258fe5998c664751d343342c34c5d19d22d2393e6a2fb55fea057219880ad87

SHA512
93bd2dc1110bcb8029d0591d4feff39d27afe7ee521c6a6485ac9fd68cdd4d7ec01920122d6151585d7dd2435e36c21d1e9016b4a5bd1cf356f288f873d5dc32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ac3de63a6bb39362cb359189ebcf6592

SHA1
40866b7f5b1098274ab0101d5183d160757c7994

SHA256
bd386635c6f34424e532f400dad09754844baba24cc69a5c14b1fed136c1aaa5

SHA512
0edf20b36e606a35aaf60a0af64fc1cd66e19f4f91ba6e191fb798022203ec82dd998ddce0ecef66f35fc9a886077a13e5244afe3f8c7a4f93ace84916892fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4e510cc1b7c863aa46f0e11e0a6ef5e1

SHA1
fc48271a0f51e7defa16d4e840b40fb69bc157c7

SHA256
f5be7bdff5cc1c01c3946d907489ac674e21177a128c5dfa7d9ed616937e30fa

SHA512
18217724543e47ef770dadef49830af6589e71b25f12a07750c67bcbb83e5c74c7a2ba8238aa9628d8f34e38014972fd69d43dec845f5e6f9500a9d42bd2d746

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
695e33f62dc523c6860cfaa31067cdc0

SHA1
acd711e2c373b7f296fdc0db5dbbc91a6e447775

SHA256
ddad50ea8c125314c10a20239ee1ccd37fa632e5db67c150a6f77e75a62f74f6

SHA512
c50da329051ffa89f4c24ae70983845bfef04ab3268c19421db7e47eb5b808bde8a9a2e51d1f6e28e474054d54feffa368d3d4e1547373af6a26a2ba7a19e935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
9987f9e66df6527304857b6d3a174544

SHA1
fca3cad6803967809805a5c064cbb2683fd8362e

SHA256
855d06b5221fc215967495a26dae0f829e3c5c4ccf7bd891b60e0572b9b37a27

SHA512
6b0665fad00d672a6b5822ef050798898fa7ee9cfd80c1b1e6c62bf6f3ecbb254104dda5cf4a9116ed137fafb50f4e7e1ef461e948e0a2fdbc4fa3eceed71906

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
22cb4a6b299433361aca89b18e58d5e1

SHA1
5009f5ce6f8fcc7ad613ccc267afaf20470eb14d

SHA256
311d4baf913543ea340613e1c576220e5f5d2a8994c0c36f46ebd014bd43708d

SHA512
21efff565f40fb532b9c67e17cb4175ccda5f216e5687e8f700354f22f3da1c13b99eef3daff89bbc62016f2003e3279eecfe5c936e49bc72e740b5510ee4f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
3532156d391a7640f180b8b792f65d5e

SHA1
62b52d198af6abfb9c4deff6c84e1e7d3fe92b24

SHA256
26944fec5e363161a9db9a7b68b161139550048ddd763b982ddb017bc0c434b0

SHA512
cbd3b92321e293bf0ae1ed7e752a097c049e220d1e50d93221ffaa5066535fd803203ebc2ad8e95c279a578592491301078e19f8eae21a5323e315f859951835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59e5f1.TMP

Filesize
91KB

MD5
92daf009e982d32ac90252a27d147f24

SHA1
85a990d544c052afb062e68eb51e25cb813c12ba

SHA256
0528c4e443df95e675589e2462e4fb9dc74fda8c9281913592dbd8fda7782ef6

SHA512
ee29d1090b9e2ce2747c3ba2a17861f8732bb1f3469ebced8e807bf341db4b1ad7ebb842e55237d451a76925978fa664b0ee12471ee6e2e37252cf23f5d4c126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XHVNC-Client.exe.log

Filesize
1KB

MD5
8f4ba7b37890617c43737e431c0f2d3f

SHA1
99e2aa08b1f5d0dbb4e8ceadfedcc88c433654c5

SHA256
fc8a9265c1dbcf55912abdd747c068c7e3c78f0f61a6f29cb71c7f76cab35443

SHA512
33209bed5d66a6eb5ba6672565dd2233e7ced50bfd2334b585258d0d8cf2d06aa59972c29745a7f830c2352a3be5e2990b876048153ef8201daa28dda7610fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XHVNC.exe.log

Filesize
1KB

MD5
63848be6ff0c3c94121c8bad7226ab04

SHA1
233dfb8886f09510fb9881433e0f1ac8036fcdfa

SHA256
65dc3054cede00f0744687252f721bc42109841e7cb4ead1b20855064abf3686

SHA512
9f2384faab96c37e783d5fd6a81abf9f8fa7082af65b66c35b75f5201911e04ad2f9c1098fe1e0fa47eaa5425f7a8f3903629b3639e5f992a982f4acff89c04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93F.tmp.bat

Filesize
195B

MD5
c441ca7501a6de6cc8629c7b5707e8ab

SHA1
b14aaa862f82d16df7226ba5efbd281ef624a488

SHA256
23313bb9cd690b0a8d8d168b53426ac0249bca56f0283670c8851993f9bf8f23

SHA512
07ee6f6e8fee605cee835e495590c16fb5556743e1b544db5227b195f82ed25c5f9ee958fcab41c03da24f276a1a35100adaae6e9408ee6900463110c3c11511

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe

Filesize
127KB

MD5
f6f686df785d0abdc66d1f90fa508c4b

SHA1
75f348132001df30cbad9c7cae2e2072fcaca38e

SHA256
61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

SHA512
7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-main.zip

Filesize
33.7MB

MD5
3c583f36fdd166613ec8b5f81597e5e9

SHA1
f3e9cbfb5749212f2d54f36b391b7d03bdd303a9

SHA256
8f71cc2fc5fd1b3e16377f0ca36067467280f6a63f7924f3fad273717c1f505e

SHA512
072931cc7b3812d7681c879169b0ba0a1981e0c23d3549e223e29331a24c4ec5249964d2c636ec07b0ba2c3e3c81c236e0ccaf3e40d373dc2a6adc235fbcfa6b

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC-Client.exe

Filesize
61KB

MD5
9e7b9de71e753d862689cf0d823da6b3

SHA1
4550f79db9847e2f067fd8fc143112b6d6b359be

SHA256
50c30236206de1f47b43348dbf49ee185bbaa88caa95867484574bdc7fdadc07

SHA512
1495269071ebefcc5b531421f3d7d0a7bf701221ca70b8c43617b1cd90b4fec8ee98ce09997884603a4d9dbddbe33f71214c61db7545d4e796b1b06ef08d5733

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe

Filesize
6.5MB

MD5
a21db5b6e09c3ec82f048fd7f1c4bb3a

SHA1
e7ffb13176d60b79d0b3f60eaea641827f30df64

SHA256
67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5

SHA512
7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c

Download Submit
\??\pipe\crashpad_4748_LNMGJWFCDUTTZXXM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/560-696-0x00000184CB410000-0x00000184CB4FE000-memory.dmp

Filesize
952KB

Download
memory/560-708-0x00000184E59F0000-0x00000184E5A10000-memory.dmp

Filesize
128KB

Download
memory/560-709-0x00000184E5AD0000-0x00000184E5ADA000-memory.dmp

Filesize
40KB

Download
memory/1264-482-0x00000000064C0000-0x00000000066E4000-memory.dmp

Filesize
2.1MB

Download
memory/1264-493-0x0000000073E2E000-0x0000000073E2F000-memory.dmp

Filesize
4KB

Download
memory/1264-491-0x000000000A540000-0x000000000A660000-memory.dmp

Filesize
1.1MB

Download
memory/1264-474-0x0000000073E2E000-0x0000000073E2F000-memory.dmp

Filesize
4KB

Download
memory/1264-475-0x0000000000750000-0x000000000093A000-memory.dmp

Filesize
1.9MB

Download
memory/1264-502-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/1264-476-0x0000000005830000-0x0000000005D2E000-memory.dmp

Filesize
5.0MB

Download
memory/1264-481-0x00000000060E0000-0x00000000060EA000-memory.dmp

Filesize
40KB

Download
memory/1264-477-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/1264-478-0x0000000005330000-0x00000000053CC000-memory.dmp

Filesize
624KB

Download
memory/1264-479-0x0000000002C10000-0x0000000002C76000-memory.dmp

Filesize
408KB

Download
memory/1264-594-0x0000000007570000-0x0000000007584000-memory.dmp

Filesize
80KB

Download
memory/1264-604-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/1264-490-0x0000000072890000-0x0000000072910000-memory.dmp

Filesize
512KB

Download
memory/1264-480-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-505-0x00000222AF800000-0x00000222AF900000-memory.dmp

Filesize
1024KB

Download
memory/2468-510-0x00000222AFDB0000-0x00000222AFDD0000-memory.dmp

Filesize
128KB

Download
memory/2468-525-0x00000222AFF30000-0x00000222AFF50000-memory.dmp

Filesize
128KB

Download
memory/2468-506-0x00000222AF800000-0x00000222AF900000-memory.dmp

Filesize
1024KB

Download
memory/3096-503-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/3216-616-0x0000000072890000-0x0000000072910000-memory.dmp

Filesize
512KB

Download
memory/4184-497-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4628-496-0x0000000000D80000-0x0000000000D96000-memory.dmp

Filesize
88KB

Download
memory/4940-710-0x0000000000010000-0x00000000006A2000-memory.dmp

Filesize
6.6MB

Download
memory/4940-711-0x00000000051D0000-0x0000000005226000-memory.dmp

Filesize
344KB

Download
memory/4996-704-0x0000020D62120000-0x0000020D62146000-memory.dmp

Filesize
152KB

Download